Malware endpoints tracking

Keeping track of compromised endpoints and of remote attacker/server IPs is fundamental for understanding the extent of a possible attack and the spreading capabilities of a given malware. Recently I was looking at some of MalwareTech's bot analyses and saw his map; that is definitely an easier way to help people understand what we are talking about than looking at a humongous list of IPs.

For this reason I've built a really rough, simple web interface for showing that data.
A .py script takes the IP list file and creates a JSON file, and the interface shows the content of that JSON file.

In that JSON we can find when each endpoint was detected, a brief description of the malware type and its location.
The malware descriptions are picked from a malware.list file, where each row holds the name of the malware, its color as a hex value and its description.

First, there is a legend of malware types; simply clicking on one turns it on or off on the map. In the top left corner we have the top 3 countries by number of endpoints, and on the bottom left the latest attack with its IP and location.
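As an added example (not the project's own script), the following Python builds the JSON records from a malware.list and an IP list as described above, validates the inputs, and computes the top-3 countries and latest-attack values the map panels display. The post does not give the file formats, so the comma-separated layouts, the field names and the in-memory geolocation table are assumptions.

```python
# Added example, not the project's own code. Assumed formats (the post does
# not give them): malware.list rows "name,#hexcolor,description"; IP list rows
# "ip,YYYY-MM-DD,malware-name"; geolocation via a pluggable function backed
# here by a constructed table so the example runs offline.
import ipaddress
import json
import re
from collections import Counter
from datetime import date

HEX_COLOR = re.compile(r"^#[0-9A-Fa-f]{6}$")

# Constructed sample malware.list (fictional names, colors, descriptions).
MALWARE_LIST = """\
SampleBotA,#FF0000,Constructed IRC-style bot used as a legend entry
SampleRatB,#00AA00,Constructed remote access trojan placeholder
"""

# Constructed sample IP list (documentation-range addresses only).
IP_LIST = """\
192.0.2.10,2017-03-01,SampleBotA
198.51.100.7,2017-03-03,SampleRatB
203.0.113.5,2017-03-02,SampleBotA
192.0.2.12,2017-03-05,SampleRatB
192.0.2.11,2017-02-28,UnknownFamily
not-an-ip,2017-03-04,SampleBotA
"""

# Constructed geolocation table standing in for a GeoIP lookup (assumption).
GEO_TABLE = {
    "192.0.2.10": ("US", 37.75, -122.42),
    "192.0.2.12": ("US", 34.05, -118.24),
    "198.51.100.7": ("DE", 52.52, 13.41),
    "203.0.113.5": ("BR", -23.55, -46.63),
}

def parse_malware_list(text):
    """Return {name: {"color", "description"}}; colors are validated so a
    tampered list cannot inject arbitrary strings into the UI's styling."""
    families = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",", 2)  # description may itself contain commas
        if len(parts) != 3:
            raise ValueError(f"malware.list line {lineno}: expected 3 fields")
        name, color, description = (p.strip() for p in parts)
        if not HEX_COLOR.match(color):
            raise ValueError(f"malware.list line {lineno}: bad color {color!r}")
        families[name] = {"color": color, "description": description}
    return families

def lookup_geo(ip):
    """Stand-in for a GeoIP lookup; returns (country, lat, lon) or None."""
    return GEO_TABLE.get(ip)

def build_endpoints(ip_text, families, geo=lookup_geo):
    """Turn IP list rows into map records; bad rows are skipped and reported."""
    endpoints, skipped = [], []
    for lineno, raw in enumerate(ip_text.splitlines(), 1):
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3:
            skipped.append((lineno, "expected 3 fields"))
            continue
        ip, when, family = parts
        try:
            ipaddress.ip_address(ip)          # rejects malformed addresses
            detected = date.fromisoformat(when)
        except ValueError as exc:
            skipped.append((lineno, str(exc)))
            continue
        if family not in families:
            skipped.append((lineno, f"unknown family {family!r}"))
            continue
        loc = geo(ip)
        if loc is None:
            skipped.append((lineno, "no geolocation"))
            continue
        endpoints.append({"ip": ip, "detected": detected.isoformat(),
                          "malware": family, **families[family],
                          "country": loc[0], "lat": loc[1], "lon": loc[2]})
    return endpoints, skipped

def top_countries(endpoints, n=3):
    """Top-n countries by endpoint count, as in the map's corner panel."""
    return Counter(e["country"] for e in endpoints).most_common(n)

def latest_endpoint(endpoints):
    """Most recently detected endpoint, for the 'latest attack' panel."""
    return max(endpoints, key=lambda e: e["detected"]) if endpoints else None

if __name__ == "__main__":
    fams = parse_malware_list(MALWARE_LIST)
    eps, bad = build_endpoints(IP_LIST, fams)
    print(json.dumps({"endpoints": eps, "skipped": bad}, indent=2))
    print("top:", top_countries(eps), "latest:", latest_endpoint(eps)["ip"])
```

Rows that fail validation are reported alongside the records rather than dropped silently, so a partly broken list file is noticed before the map under-reports the spread.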

Clicking on an endpoint shows its IP, specific location, date and malware with its description.

I've built 2 different maps: one with some random malware (IPs gathered on AlienVault) as an example [here], and a second one with the IPs that I've discovered, or hopefully will discover, from further analysis [here].

You can find the whole project with documentation in my repo: github repository